When looking at any type of software, the concepts of security and privacy are often thrown together. Clearly, there is an overlap. However, in the context of file sharing services, whether they are collaboration tools or a dedicated virtual data room, there are differences to consider.
If you subscribe to a file sharing or secure data room service from a provider with a clear track record of delivering a quality product, you can make some reasonable assumptions about the steps they are taking to secure your data. Those steps will typically be listed on the provider’s website and are likely to include high-grade data encryption at rest and in transit and a dedicated slice of a data center that has ISO 27001-type accreditation. You'll also read about system monitoring, disaster recovery, firewalls, etc.
In addition, you may see details around password protection, which can be a critical component: passwords are a weak link in any system that requires one. Security-conscious CTOs will always look for a program offering two-factor authentication on login as standard; it should not cost extra. Two-factor authentication requires a second piece of information in addition to the password, typically an SMS text code, to unlock access to your system. Well-designed software will make this a seamless step, not an interference.
You may go on to make the not unreasonable assumption that because your data is well secured, it is also being kept private. This may or may not be the case, and there is benefit to digging deeper and understanding exactly what happens when you subscribe to a service. The provider's terms of service will usually give most of the picture, and there are three key areas to consider:
1) Who has access to your data at the provider's end?
- Engineers - There has to be some ultimate level of access: they built the system, and they may need access to fix issues. However, are there internal controls to manage and monitor who is accessing data and why? Are those people subject to background screening, and what are the consequences for those who violate the rules?
- Support staff - Many data room providers and collaboration solution providers will have a support login or "backdoor". If you're in a business where data sensitivity is low and you're sharing non-confidential information, then that's probably not a consideration. If you are in the healthcare, life sciences, financial services, or defense space, or run a professional services firm where your clients' data could get exposed, it could be a different story. The nature of the work conducted in virtual data rooms is usually highly confidential. M&A deals can affect share price, so even a small snippet of information about who's buying whom has potential value.
- Sales/marketing - Less likely to have access but still worth checking, particularly on the marketing side (see next point).
2) Is your users' information (particularly email addresses) kept private, or are they marketed to?
Online data room services and file sharing tools have a very enticing characteristic for the provider and the provider's investors: When one person (or company) uses the service they will, almost by default, expose others to it. There's a viral effect that can help the rapid spread and adoption of the product.
Dropbox nailed this process by offering free data storage capacity to encourage users to "infect" their friends and associates, and it has been extraordinarily successful. They hit the Holy Grail of subscription software marketing, an explosive viral multiplier, and anyone who runs a software-as-a-service business should be both awed and jealous of that success! Other providers of collaboration and VDR services also market to their clients' users, trying to leverage the exposure they have gained from the initial user, some overtly, some more subtly.
As an individual consumer looking to share music files with friends, this viral effect probably doesn't worry you and might even be a benefit (if you get free storage space and all your buddies are using the same tool, there's no downside!). However, as a business user of a file sharing or virtual data room service, do you want your users to be marketed to? If you are using a virtual data room, it's likely because you need to work with investors, business partners, acquirers, lawyers or bankers during fundraising, M&A or other high-level business transactions. Maintaining a high degree of professionalism is important, and causing any irritation for someone who might write you a big check might not be wise.
3) What are the software provider’s internal policies with regard to information management?
Secure virtual data rooms are used to conduct private and often sensitive transactions. The nature of a data room use case, such as a merger or acquisition, can have a knock-on effect on the share price of a listed company. That information has value and cannot enter the public domain.
Even if your data room provider encrypts your data, stores it in state-of-the-art data centers and locks its employees out of the data, there's still potential for information leakage, mainly through employees who may unwittingly, and with no ill will or intent, talk about a deal. It might be impossible to guarantee that this kind of inadvertent data leakage never occurs; however, it's less likely to happen if the vendor has an internal code of silence and a known set of consequences for violators.
Other simple steps that the VDR vendor takes are key: Support should never acknowledge the use of a data room with anyone other than the main admin or subscriber to the software. Any access to the data room by the vendor (via invitation or some other "backdoor" mechanism) should be by written consent of an officer of the client company. CRM systems (like Salesforce) should be password protected using two-factor authentication, strong passwords and short logout times. Client names should not be used without express written permission.
In summary, there are very real differences between the steps a file sharing or virtual data room service provider takes to secure your data and the steps it takes to maintain your document privacy. Privacy covers your data (i.e. no one is looking at it, ever) and your users, both within your company and among partners outside your business. At a very basic level, software providers should also be keeping the fact that you use their service private unless specific written permission has been granted. Ask for these provisions in writing from your vendor if you think they are important and you can't identify them in their terms and conditions.